Sednit espionage group now using custom exploit kit

BY ESET RESEARCH
For at least five years the Sednit group has been relentlessly attacking various institutions, most notably in Eastern Europe. The group used several advanced pieces of malware for these targeted attacks, in particular the one we named Win32/Sednit, also known as Sofacy.

We recently came across cases of legitimate financial websites being redirected to a custom exploit kit. Based on our research and on some information provided by the Google Security Team, we were able to establish that it is used by the Sednit group. This is a new strategy for this group, which has relied mostly on spear-phishing emails up until now.

In this blog post, we will first examine recent cases of spear-phishing emails using the CVE-2014-1761 Microsoft Word exploit. We will then focus on the exploit kit, which appears to still be in a development and testing phase, and briefly describe the actual payload.

The Sednit espionage group, also known as the Sofacy group, APT28 or “Fancy Bear”, has been targeting various institutions for many years. We recently discovered a component the group employed to reach physically isolated computer networks — “air-gapped” networks — and exfiltrate sensitive files from them through removable drives.

Over the last few weeks several pieces of intelligence have been shared on this group, including the Operation Pawn Storm report from Trend Micro and the APT28 report from FireEye.

In this blog post, we are sharing knowledge of a tool employed to extract sensitive information from air-gapped networks. ESET detects it as Win32/USBStealer.